
The things that are better left unspoken

a blog by Sander Berkouwer

How to add a DSRM startup option in Windows Server 2008 and Windows Server 2008 R2

Since Windows Server 2008, Microsoft no longer offers the ability to restart a Domain Controller in Directory Services Restore Mode (DSRM) from the default F8 boot menu.

About Directory Services Restore Mode

For Windows Server-based Domain Controllers, a special startup mode exists in which the Active Directory database isn’t loaded. This startup mode is called Directory Services Restore Mode (DSRM). After logging in with the DSRM account, an admin can use this mode to troubleshoot Active Directory issues. The DSRM account does not live in Active Directory; its password is set locally on each Domain Controller. The password may, therefore, differ between Domain Controllers in the forest.

In Windows Server 2008 and Windows Server 2008 R2, several enhancements were made that affect the Directory Services Restore Mode:

  • Restartable Active Directory
    Restartable Active Directory eliminates many of the reasons to restart a Domain Controller in Directory Services Restore Mode (DSRM), because it lets you stop and start the Active Directory Domain Services without a reboot. Such reasons include offline defragmentation. However, restoring a previously made (system state) backup can only be performed within Directory Services Restore Mode.
         
  • DSRM Admin Logon Behavior
    When Active Directory is stopped (through Restartable Active Directory) or not loaded (in Directory Services Restore Mode) you can use either the DSRM password or Domain credentials to log in on the Domain Controller. The second option is only available when other operational Domain Controllers exist in the domain. This behavior can be modified using the DSRMAdminLogonBehavior registry key, as described here.
        
  • Active Directory Recycle Bin
    Directory Services Restore Mode is needed to restore objects in Active Directory from backup. The Active Directory Recycle Bin option in an all-Windows Server 2008 R2 forest alleviates the need to use backups, with its built-in restore functionality.
      
  • Password syncing for the DSRM account
    A feature is available for Windows Server 2008 that lets you synchronize the DSRM Administrator password with a domain user account. You can read more on this in Microsoft KnowledgeBase article 961320.

 

Default behavior in Windows Server 2008

According to this TechNet page, the procedure to access the Directory Services Restore Mode in Windows Server 2008 and Windows Server 2008 R2 is to either:

  • Use the System Configuration utility (msconfig.exe) and on the Boot tab select Safe Boot and specify the Active Directory repair option. Then restart.

System Configuration utility with DSRM selected (click for larger screenshot)

  • Use the commandline: bcdedit /set safeboot dsrepair and restart. When done in Directory Services Restore Mode, type bcdedit /deletevalue safeboot and restart normally again.

When you’re deep in an undisclosed brown substance, however, these options are at least time consuming to perform. You can use the commandline when you choose to repair the Windows installation, but for this you’ll need to start from the Windows Server DVD, which might or might not be within reach, scratched, or left in direct sunlight…

    

Adding the DSRM startup option

So, why not add the Directory Services Restore Mode startup option to the F8 boot menu as a default step after you’ve created a new Domain Controller? When you create a Domain Controller, normally, you’ll find some time to check its configuration, in contrast to the situation described earlier.

To add a Directory Services Restore Mode startup option to the Boot Configuration Database (BCD), perform the following commands:

bcdedit /copy {current} /d "Directory Services Restore Mode"

This command copies the current boot option ("Startup Normally") to a new startup option called "Directory Services Restore Mode". (If you want to use a different name, go ahead.) The command prints the GUID of the newly created entry.

Use the GUID printed by the above command (including the curly brackets) in the following command:

bcdedit /set {GUID} safeboot dsrepair

You’ve now added the startup option to the menu. If you want to make the Boot Menu visible by default every time the server (re)boots (instead of having to press F8), perform the following (optional) command, where you specify the seconds to display the menu:

bcdedit /timeout 5

In the example above, the menu gets displayed for five seconds. The result is a screen, every time you start or restart the Domain Controller, that will look something like this:
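The three steps above, scripted in PowerShell as an added example (not from the original post), with the GUID parsed from the bcdedit output instead of copied by hand, a duplicate check before creating the entry, and a verification of the result afterwards. The parameter names and the -1 "leave the timeout alone" convention are this example's own assumptions; run it from an elevated prompt on the Domain Controller.

```powershell
# Added example, not code from the original post. Automates:
#   bcdedit /copy {current} /d "<name>"  ->  bcdedit /set {GUID} safeboot dsrepair  ->  bcdedit /timeout N
param(
    [string]$Description = "Directory Services Restore Mode",
    [int]$TimeoutSeconds = -1   # assumption of this script: -1 leaves the boot-menu timeout unchanged
)

# Refuse to add a second copy if an OS loader entry with this description already exists.
$existing = bcdedit /enum OSLOADER |
    Select-String -Pattern "^description\s+$([regex]::Escape($Description))\s*$"
if ($existing) {
    throw "A boot entry named '$Description' already exists; not adding a duplicate."
}

# Step 1: copy the current entry. bcdedit answers with a line such as
#   The entry was successfully copied to {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
# '{current}' is quoted because PowerShell would otherwise parse the braces as a script block.
$copyOutput = bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

$guid = ([regex]'\{[0-9a-fA-F\-]{36}\}').Match(($copyOutput -join "`n")).Value
if (-not $guid) { throw "Could not find the new entry's GUID in: $copyOutput" }

# Step 2: make the new entry start in Directory Services Restore Mode.
bcdedit /set $guid safeboot dsrepair
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot failed for $guid" }

# Step 3 (optional): show the boot menu for N seconds on every (re)boot.
if ($TimeoutSeconds -ge 0) {
    bcdedit /timeout $TimeoutSeconds
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /timeout failed" }
}

# Verify: dump only the new entry and confirm that safeboot is set to DsRepair.
$entry = bcdedit /enum $guid
if (-not ($entry | Select-String -Pattern '^safeboot\s+DsRepair\s*$')) {
    throw "Verification failed; entry $guid does not carry safeboot DsRepair"
}
Write-Host "DSRM boot entry $guid ('$Description') created and verified."
```

Save it as a .ps1 file and run it once per new Domain Controller; rerunning it is harmless because the duplicate check stops it before any change is made.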

Windows Boot Manager with DSRM option available (click for larger screenshot)

       

Concluding

I recommend that every Active Directory administrator perform the steps above to create a Directory Services Restore Mode (DSRM) startup entry. Whether you also specify a time-out by default is a choice that depends on experience, your level of expertise, and your level of confidence.

Other DirTeam posts on this topic

Managing The DSRM Administrator Account   
Logging On With The DSRM Administrator Account   
Is your Authoritative Restore being undone?   
And you will keep your password updated …   
Backup and restore of Active Directory  

Further reading

Restart the Domain Controller in Directory Services Restore Mode Locally 
Restart the Domain Controller in Directory Services Restore Mode Remotely 
Restartable AD DS Step-by-Step Guide     
Securing the Directory Services Restore Mode Account 
What Username and Password Do I Need to Use for Directory Services Restore Mode  
Directory Services Restore to Virtual from Physical
